There is much to be said (and much has already been said) about the need for privacy and security protections in the case of Anthem, just as "helpful hints" have been provided after the fact to victims of all significant data breaches. My reaction, when reading about the unencrypted SSNs that were accessed in this attack, was: Why in the world are we using Social Security numbers as ID numbers? It doesn't have to be this way.

January 30, 2015

Over a year ago, the Federal Trade Commission held an Internet of Things workshop and it has finally issued a report summarizing comments and recommendations that came out of that conclave.

As in the case of the HITECH Act's attempt to increase public confidence in electronic health records by ramping up privacy and security protections for health data, the IoT report -- and an accompanying publication with recommendations to industry regarding taking a risk-based approach to development, adhering to industry best practices (encryption, authentication, etc.) -- seeks to increase the public's confidence, but is doing it the FTC way: no actual rules, just guidance that can be used later by the FTC in enforcement cases. The FTC can take action against an entity that engages in unfair or deceptive business practices, but such practices are defined by case law (administrative and judicial), not regulations, thus creating the U.S. Supreme Court and pornography conundrum -- I can't define it, but I know it when I see it (see Justice Stewart's timeless concurring opinion in Jacobellis v. Ohio).

Medicare has been talking about value based purchasing for decades now, and thus far has taken baby steps towards implementation. Even the strides taken in recent years, and the targets laid out this week for the future, don't really leave FFS medicine in the dust. ACOs and other MSSP innovations don't entirely move away from FFS reimbursement; they just add cost and quality kickers as part of a retrospective reconciliation.

Read them all. Agree or disagree. Most important of all: Work to make your own predictions come true.

For those of you dying to know what I had to say, have at it:

What was the most significant health IT development over the past year?

The continued slow but steady development of asynchronous telehealth services, leveraging resources such as wireless monitoring devices, which was potentially supercharged by the development of consumer-centric health data platforms by big consumer electronics firms.

December 15, 2014

The Accountable Care Organization regulations were first promulgated under authority of the ACA's Medicare Shared Savings Program in 2011. Three years later, the regs are in the shop for a tune-up. Farzad Mostashari MD was one of the authors of the Brookings Institution ACO issue brief released in the spring, suggesting some changes to the program that would keep current ACOs engaged past the end of their three-year contract term and improve the program overall. Dr. Mostashari, former National Coordinator for Health IT, is now the founder and CEO of Aledade, a startup focused on helping physician organizations develop ACOs. With a level of excitement shared only by a small coterie of health wonks -- and usually reserved for video recordings of unboxing the latest hi-tech toy -- Farzad livetweeted his reading of the 429-page typewritten version of the proposed ACO rule when it was released late last Monday. (See the CMS Fact Sheet on Proposed Changes to the MSSP and the Aledade post on the proposed reg.)

The rule was published officially on December 8, with a 60-day comment period. I had the opportunity to interview Dr. Mostashari about the new rule. As he noted in our conversation, CMS is calling for input on a variety of issues, so don't be shy, especially if you have some data to back up your suggestions on the choices that remain to be made in this rulemaking process.

December 11, 2014

Is it the best thing since sliced bread? Is it really a better mousetrap? Does it really have that special sauce?

The term "disruptive innovation" gets bandied about quite a bit, and in recent weeks and months, it has been applied to the designs of Patrick Soon-Shiong and Elizabeth Holmes on changing medicine and health care. The former is focused on cancer diagnostics and treatments, the latter, on blood tests. Each has been the subject of paeans in the press, but questions have been raised -- less broadly -- about the claims they are making. Setting aside for the moment the question of whether talk of disruptive innovation is in itself "woo," let's take a look at these two entrepreneurs and their current projects.

Hospitals reported 1.3 million fewer hospital-acquired infections in all between 2011-2013 compared to the rate of mistakes that hospitals made in 2010, according to the report from the Department of Health and Human Services. That represented a 17 percent drop in hospital errors from 2010, but about 12 percent of all hospitalizations as of 2013 still experienced an adverse event during the course of care.

The reduction of these avoidable incidents — such as falls, pressure ulcers, adverse drug events and more — meant $12 billion in savings to the health-care system between 2011 and 2013, according to HHS.

November 20, 2014

Welcome to Health Wonk Review, the bi-weekly blog carnival featuring the latest and greatest blogging by a staggeringly wonkish agglomeration of health care policy nerds. The last edition of Health Wonk Review was hosted at Wing of Zock. The story behind the name of that blog seems (to this health wonk, at least) oddly relevant to this edition's theme, given the recent news that the construction costs of the new presidential palace in Turkey seem to have doubled ... again.

Well, our frame this week is the other turkey, the turkey that will lull many of us into a stupor late next week, and the health care policy decisions (and decisionmakers) that sometimes make us wish we were in more of a stupor ... so as to lessen the pain. Top of mind in that department this week is #GruberGate:

November 14, 2014

This week, Connecticut joined at least nine other states (DE, KY, ME, MN, MO, NC, TN, UT, WV -- see cases cited in the opinion, linked to below) in recognizing that, while HIPAA does not create a private right of action for violation of privacy, it does constitute a standard against which the actions of a defendant in such a case will be judged. In other words, if a covered entity or business associate or downstream contractor releases PHI other than in accordance with HIPAA (i.e., for treatment, payment or health care operations purposes, or to or at the direction of the data subject or his or her legal representative), the breach of the HIPAA rule may be the basis for a finding of a breach of a duty of care in a state court negligence action.

[A]ssuming, without deciding, that Connecticut's common law recognizes a negligence cause of action arising from health care providers' breaches of patient privacy in the context of complying with subpoenas, we agree with the plaintiff and conclude that such an action is not preempted by HIPAA and, further, that the HIPAA regulations may well inform the applicable standard of care in certain circumstances . . . .